
Wednesday, March 31, 2004

or one editor’s idiosyncratic view of the recently concluded ECM event by Bryant Duhon.

In his presentation to the recent NCC AIIM meeting, Bryant Duhon described AIIM 2004 Expo as "everything better, faster, cheaper, and now it works"; no big new technology. He began with a review of the Best of Show awards and then described some of the trends that caught his eye.

More vendors are offering Section 508 compliant technology. This is great news, and TechnoFlak is pleased to learn that vendors are creating products that are accessible to all.

Bell & Howell offered a scanner they advertised as being able to read doctor’s handwriting. TechnoFlak salutes their marketing operation.

XML technology is not as big as some might expect, but IXIASoft had an XML database and search engine product.

Duhon spoke about the continuing consolidation of the industry, listing all the recent mergers and acquisitions. (TechnoFlak heard this predicted at the first NCC AIIM meeting in 2002.)

The biggest trend may have been compliance (HIPAA, Sarbanes-Oxley, etc.), with vendors offering products that would make the user compliant, "magically delicious," as Duhon put it. Almost every vendor was DoD 5015.2 compliant.

There was an increased emphasis on the small to medium business market.

Microsoft had a relatively small booth, but remains the 800 pound gorilla that everyone is watching.

Search (well, finding) information is beginning to be a trend.

After four years we still call it Enterprise Content Management or ECM because, as Duhon put it, "we gotta call this industry something, but I would not lead with that with your customers." Wise words from Mr. Duhon; heed them.

Web services were not as prevalent as two years ago. (This surprises TechnoFlak, as I would have thought that web services offer the greatest flexibility to vendors wishing to offer customers incremental functionality.)

The show was well attended, even on the third day. While booths in the front always do the best, even the back wall had good traffic. The last conference session on Wednesday was full. Exhibitors said they had more leads and fewer tire kickers.

During the question period Duhon said that the Document Imaging and Records Management sessions were the best attended, and described Business Process Management as "workflow on steroids."

Why would anyone ever send out a press release in anything but ASCII text? Why would you ever make it difficult to use your press release? Why would you waste bandwidth? Attachments are bait for spam filters, why would you use them?

Once again AIIM has surveyed the Enterprise Content Management (ECM) industry. Corporate and government users, in six countries, mostly English speaking, were surveyed about their present and future requirements. While the results seemed to surprise John Mancini, who presented them at the last meeting of NCC AIIM, they confirmed my long held views about customers. The title of the survey is Back to Basics, the Search for Efficiency and Compliance.

Most customers are looking for Document Control, Records Management/Archiving and Information Capture. Surely this cannot come as any surprise. The creation, management, storage and retrieval of documents will always go to the heart of what this industry is all about. Information capture is simply about bringing paper documents into electronic format; the idea has been around for decades, but most organizations still are not using this technology, or are using it only for limited purposes.

The bottom line is still the bottom line. For the most part users still view ECM technologies in terms of expense reduction rather than revenue enhancement. A blinding flash of the obvious. TechnoFlak started in technology selling automatic data collection systems and bar code labels. Much of the fun consisted of going to every imaginable organization, from hospitals to manufacturers, learning how they used information and then figuring out how to collect it automatically, instead of with error-prone manual systems that took weeks to get information to management. In those days it was called office automation and you were supposed to dramatically reduce labor costs and recover the cost of the investment in a matter of months. Sometime during the last boom it ceased to be about the customer and all the talk was about state-of-the-art, cutting-edge technology. It was about who had the sexiest technology, not who was helping the customer. Then the industry choked on its own hubris and we are still figuring it out.

Wednesday, March 24, 2004

Yes, that was the voice of TechnoFlak talking about spam yesterday on the Kojo Nnamdi Show.

I will simply repeat what I said on the show. We need to turn the logic of spammers against them. They count on one in ten million recipients sending them money. I suggest that each of us, just once a year, fight back.

Pick just one e-mail, print out multiple copies, with complete headers, and mail it to every law enforcement and government regulatory agency that could possibly have jurisdiction over a fraudulent e-mail offer. Look up the domain registry of your spammer to determine which state and municipality might have jurisdiction. You can also search the Registry of Known Spam Operators to find out more about your spammer.
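As an added example, not part of the original post, here is the header triage a practitioner would do before assembling that packet, in Python. The message, the mail-server names and every address in it are constructed for illustration (documentation IP ranges and the .invalid domain). The check it adds is the one that decides jurisdiction: only the Received lines stamped "by" your own mail servers can be believed, because every earlier hop and the From address are written by the spammer and are routinely forged. So the things worth looking up are the netblock of the first outside address your servers saw and the sites the message links to, not the domain in the From line.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: hosts, queue IDs, addresses and the link are invented.
# "mail.example.org" and "relay.example.org" stand in for the reader's own mail servers.
SAMPLE_SPAM = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Tue, 23 Mar 2004 10:01:02 -0500
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby relay.example.org with SMTP id def456; Tue, 23 Mar 2004 10:00:58 -0500
Received: from friendlybank.invalid (localhost [127.0.0.1])
\tby 10.0.0.5 with SMTP; Tue, 23 Mar 2004 09:59:00 -0500
From: "Account Dept" <alerts@friendlybank.invalid>
To: victim@example.org
Subject: Urgent: verify your account

Your account will be closed unless you confirm your details at
http://secure-login.friendlybank-verify.invalid/login today.
"""

# Servers we operate (assumption for the example). Only a Received line stamped
# "by" one of these was written by us; everything earlier came from the sender.
OUR_HOSTS = {"mail.example.org", "relay.example.org"}
OUR_IPS = {"192.0.2.10"}

# Ranges that can never be the public origin (RFC 1918, loopback, link-local).
# Checked explicitly rather than via ip.is_private, which would also reject the
# documentation addresses used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def origin_ip(msg):
    """First public peer address recorded by one of our own hops, or None.

    Each relay prepends its Received line, so get_all() returns newest first.
    Walk in that order and stop at the first hop our servers recorded as coming
    from outside; anything beyond it is sender-controlled and may be forged.
    """
    for hop in msg.get_all("Received", []):
        by = re.search(r"\bby\s+([\w.\-\[\]]+)", hop, re.S)
        if not by or by.group(1) not in OUR_HOSTS:
            continue
        src = re.search(r"\bfrom\s+(.*?)\s+by\s", hop, re.S)
        if not src:
            continue
        for ip in IPV4.findall(src.group(1)):
            if ip not in OUR_IPS and not is_internal(ip):
                return ip
    return None


def report_targets(raw: str) -> dict:
    """What to look up before mailing the complaint: the origin IP (netblock WHOIS),
    the From domain (usually forged, so low value) and the domains the spam links
    to (the landing site the fraud actually depends on)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return {
        "received_chain": list(reversed(msg.get_all("Received", []))),  # oldest first
        "origin_ip": origin_ip(msg),
        "from_domain": from_domain,
        "link_domains": sorted(set(URL_HOST.findall(body))),
    }


if __name__ == "__main__":
    for key, value in report_targets(SAMPLE_SPAM).items():
        print(f"{key}: {value}")
```

Run against the sample, the third Received line (the one claiming the mail came from "localhost" via 10.0.0.5) is ignored because no server of ours wrote it; the origin is the address relay.example.org actually accepted the connection from, and the link domain, not the bank-sounding From domain, is what to send to the registrar.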

I don’t think so. Many web logs are little more than personal comments on news stories. Some technology web logs have detailed comments on programming, including sample code; but none do comprehensive reporting and product reviews.

Trade publications need to alter their business model to accommodate the small advertiser. Google's system of advertising that charges on a per-click-through basis is the way of the future. Ziff Davis, IDG, CMP, et al., need to create a way for small advertisers to purchase Google-style ads that would run across their publishing group.

Saturday, March 20, 2004

So do blogs hold the key to seamless sharing of collective corporate intelligence, the holy grail of knowledge management? Web log software is cheaper to install and maintain than many knowledge-sharing programs, and it's extremely simple to use. Knowledge software often requires employees to take both an extra step and extra time to record what they know, and to fit their knowledge into a database of inflexible categories. Internal blogs are more integrated into a worker's regular daily communications. IBM began blogging in December, and by February, some 500 employees in more than 30 countries were using it to discuss software development projects and business strategies. And while blogs' inherently open, anarchic nature may be unsettling, Mike Wing, IBM's vice president of intranet strategy, believes their simplicity and informality could give them an edge. "It may be an easy, comfortable medium for people to be given permission to publish what they feel like publishing," he says.

Friday, March 19, 2004

Congratulations to the winners of the AIIM E-DOC Magazine 2004 Best of Show Awards:

BPM/Workflow
* Dralasoft Workflow from Dralasoft, Inc.—for supporting the needs of both the IT and the business user

Capture: Document Imaging
* ecNet for eCapture from Captovation, Inc.—for enabling users to collaborate on business processes across the enterprise as well as its ease of use

Capture: Forms Processing
* INDICIUS for Invoices from Neurascript Ltd.—for providing a mature, practical, comprehensive solution to classify and process unstructured documents and forms

ECM Suites
* Stellent Universal Content Management from Stellent, Inc.—for supporting all five content management elements within a single interface and platform

Records Management
* FileNet Records Manager from FileNet Corporation—for its practicality in meeting the business needs of records management

Web Content Management
* CMS300 Version 4 from Ektron, Inc.—for demonstrating a high level of functionality and capabilities at an attractive price point

Hardware: Storage
* EMC Centera from EMC—for its creative use of technology

Hardware: Desktop Scanner
* Xerox DocuMate 252 from Visioneer, Inc.—for its speed capabilities and cost efficiency
* Sidekick from Böwe Bell & Howell—for offering a versatile "all-in-one-box" hardware/software solution

Hardware: Mid-Range Scanner
* KODAK i600 Series Scanners from Eastman Kodak Company—for its efficient, feature-rich solution

Hardware: Production Scanner
* SO Series from Scan-Optics, Inc.—for providing a single platform that accommodates both image-only and OCR scanning needs with the same machine at a low price

- when blogging about people they know personally: 66% of respondents almost never asked permission to do so; whereas, only 9% said they never blogged about people they knew personally.

and

- the frequency with which a blogger writes highly personal things is positively and significantly correlated to how often they get in trouble because of their postings; (r = 0.3, p < 0.01); generally speaking, people have gotten in trouble both with friends and family as well as employers.

This touches on an earlier post about the new problems created by bloggers. Unlike reporters, there are no editors and legal departments to clue us in on what the rules are.

Unless someone is presenting to a public gathering, you need their permission to write about them in your web log. Writing about children (those under the age of 18) is not acceptable, because children cannot reasonably predict what the consequences of appearing in a blog would be.

It is unacceptable to publish e-mail in your web log without prior permission, including e-mail in group discussion lists.

Most of all, try to think about how you would feel, treat others as you would like to be treated.

CJR's Campaign Desk has an interview with Karen Ryan, the PR pro who helped make the now infamous video news release for the Dept. of Health and Human Services. From the article:

There's been a little confusion lately in both journalism and politics over the burning question: Who the hell IS Karen Ryan? So we asked her.

As the New York Times first reported Monday, Ryan appears in a number of video news releases made on behalf of the Health and Human Services Department, which tout the controversial new Medicare law and its supposed benefits. The videos -- which end with the voice of a woman signing off, "In Washington, I'm Karen Ryan reporting." -- ran as news on various local TV stations. (To read the full transcript of one of the "news segments" that ran on WBRZ Baton Rouge, go here.)

It is critical to remember that public relations is not about getting favorable media coverage. It is about building a trusting relationship with the public. A skilled flak must be able to predict how something is likely to come across. That includes predicting the level of scrutiny a story is likely to receive. New product launches directed to the trade press are unlikely to receive the kind of scrutiny a politically-charged change in a major federal program will receive. If you do not understand this, you are not doing your job.

On edit: Ryan would have had no problem if she had simply said, "On behalf of the Department of Health and Human Services, I'm Karen Ryan reporting."

Scott Rosenberg has a marvelous column (subscription or day pass required) about the recent SDWest conference, including this funny story:

Bricklin sent waves of laughter through the auditorium by reading a passage from Lammers' interview with Bill Gates in which the young Microsoft founder explained that his work on different versions of Microsoft's BASIC compiler was shaped by looking at how other programmers had gone about the same task. Gates went on to say that young programmers don't need computer science degrees: "The best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating systems."

Bricklin finished reading Gates' words and announced, with an impish smile, "This is where Gates and [Richard] Stallman agree!"

Tuesday, March 16, 2004

I will be writing about the substance of Stallman's remarks later in the week; but as a flak I would like to say a few words about his presentation. Stallman had just come off a twelve-hour flight from Vietnam. Most people would be reduced to babbling in such circumstances, so it is astonishing that he spoke with such eloquence. He had no PowerPoint presentation, but held the audience spellbound for ninety minutes with the story of the GNU operating system, the definition of free software and why it is important. Not once did he resort to jargon. Clearly he has much to teach the industry, both in terms of style and substance, and I would encourage anyone to see him speak, if you have the chance.

Monday, March 15, 2004

I scoffed at industry complaints about various provisions being too hard to implement. Businesses also feared a hodgepodge of privacy laws across the 50 states, but I was skeptical of arguments for federal preemption of state privacy laws.

Older and wiser now, I know that those inconsistent and vague laws can make it tough for IT managers to comply even when they truly want to. The best intentions of those young staff attorneys can cause serious headaches for business folks outside the Capital Beltway, as the first story in this special report shows.

I have said it before and will say it again, it is at least as important for a trade association to be the public's advocate to the industry, as it is to be the industry's advocate to the public. Rather than simply complain about the very real problems of multiple privacy laws, vendors should be working with privacy advocates and legislators to develop standards that will protect privacy.

Roger Hughlett does a great job of describing the battle over state funds for CIT. From his article:

Virginia Gov. Mark Warner is asking lawmakers to cut $2 million this year and 50 percent of remaining funds next year for the Center for Innovative Technology, a move the agency's advocates say will jeopardize its survival.

Funding cuts and questions about its future are not new to CIT. This time, however, the statewide tech advocate and its supporters want to stop the state from bringing its funding to a complete close.

I am torn; as a technology advocate I would like to see the center not only continue, but be expanded. However, there are no good budget choices in Richmond this year and our AAA bond rating is at stake. The Governor and General Assembly must do whatever it takes to keep the Commonwealth solvent, and trade groups, including technology, must respect that.

Sunday, March 14, 2004

Let's hope she succeeds. The Baltimore Sun gives this account of her efforts:

O'Keefe said that sending the shuttle would not be compatible with the work being done to meet safety guidelines demanded by the board that investigated the Columbia accident. "Could we do this and take the risk? Sure," O'Keefe said. "But somebody else has to make that decision -- not me."

This does not seem in the spirit of Lewis and Clark. And let's face it, the "someone" would probably have to be the president, and he's no Thomas Jefferson. Bush is so obsessed with Mars these days, you'd think there was oil up there.

The success of the Linux computer operating system has fuelled a rush by venture capitalists to invest in a new wave of open source software companies, creating the sort of land-grab mentality last seen during the 1990s technology boom.

We can only hope. Anything that generates investment can only be good news for the technology sector.

Overwhelmed by online news? Instead of wearing out your Web browser's "refresh" command to check for the latest updates, a Really Simple Syndication (RSS) program can fetch the news for you.

RSS lets Web sites publish free "feeds" of their content, which a program called a newsreader collects on a set schedule, displaying new headlines and links for you to read within the newsreader or, with one click, in your Web browser.

Check out the part about Macs-

Mac users, meanwhile, have a much simpler choice: Ranchero Software's NetNewsWire Lite (Mac OS X 10.1 or newer, free at Ranchero Software; scroll down the page for the $40 pay version of NetNewsWire for the link). Besides offering a pleasant, elegant interface, it includes a helpful "subscribe" function, akin to Feed Demon's auto-discover feature, that can sign up for a site's feed automatically.

Mac products, always simpler, easier, with more elegant design. When is the rest of the industry going to get the memo?

Saturday, March 13, 2004

Law enforcement agencies have been increasingly concerned that fast-growing telephone service over the Internet could be a way for terrorists and criminals to evade surveillance. But the petition also moves beyond Internet telephony, leading several technology experts and privacy advocates yesterday to warn that many types of online communication, including instant messages and visits to Web sites, could be covered.

The proposal by the Justice Department, the FBI and the Drug Enforcement Administration could require extensive retooling of existing broadband networks and could impose significant costs, the experts said. Privacy advocates also argue that there are not enough safeguards to prevent the government from intercepting data from innocent users.

This sounds like today's bad idea. Apart from considerations of privacy and civil liberties, will the sort of changes necessary to enable government wiretaps also render networks more susceptible to malicious attacks? And to top it all off, they want consumers to bear the burden of these changes.

Friday, March 12, 2004

During his presentation on metaprogramming and software testing, Scott Halloway told the audience, "now don't write in your blogs that Scott Halloway said not to test, because I am not saying that." Halloway was aware that he was speaking to a group and that anyone could write about it in their blog. I am guessing many public speakers are not so sophisticated.

In a world where everyone is a journalist, everyone is a public figure. Those of us in public relations owe it to our clients to explain this. Those of us who write blogs are going to have to begin a discussion about when, and under what circumstances, you can write about someone in your blog.

Thursday, March 11, 2004

I was planning to write about Scott Halloway’s presentation to last Tuesday’s Northern Virginia Java User’s Group; but as someone who could not code her way out of a paper bag, it is simply beyond my capabilities to translate it into layman’s terms. Visit Halloway’s blog instead.

Adobe was among the major players with announcements keyed to the AIIM crowd. Adobe unveiled new technology that will add bar codes to PDF formatted documents to speed forms processing, the company said Monday.

Among the first customers of the new technology will be the U.S. tax collection agency, the Internal Revenue Service. The bar codes, which are a "2D" format -- rather than simple lines, as in retail product bar codes, these include more information by using both lines and blocks of ink -- can be added to PDF forms by users equipped with Acrobat Professional 6.0, the company's top-of-the-line PDF authoring software (a plug-in will be provided for the bar code feature) or the upcoming edition of Adobe Designer.

Because content in the team space is the same content as in the repository, records management policies can be applied on any individual item in the team space, for example. In addition, TCM can version and lock down discussion threads and e-mail attachments, and collaboration sessions can be declared as records without users being trained on records management policies. ...

Documentum will use AIIM 2004 to launch its Compliance Manager, a Web-based application for securely creating, storing, and distributing information in an audited environment. Compliance Manager also allows users to develop and monitor content-related processes in accordance with regulatory requirements, company officials said. Compliance Manager was built on the Documentum DocControl Manager product and leverages the Documentum ECM platform.

The nation's four largest e-mail account providers yesterday announced a coordinated legal attack on spammers, using a new federal law to file six lawsuits in courts around the country.

The suits by America Online, EarthLink Inc., Microsoft Corp. and Yahoo Inc. target what their lawyers called some of the largest spam operations, accounting for hundreds of millions of e-mails hitting their networks every month.

This is certainly good news; but I think we make an error in treating unsolicited commercial e-mail as an Internet problem. The Internet is the medium, the problem is financial and criminal. Most unsolicited commercial e-mail is fraudulent and actionable under existing law. As in, why aren't these guys in jail?

Nothing in this writer’s research has explained why VISA, Mastercard, et al, tolerate spammers. Without credit cards spamming would not be possible. So why do these companies traffic with such operators? We need to make this a customer relations issue.

Wednesday, March 10, 2004

Scott Granneman has a detailed description how Google's search power exacerbates existing security problems, from the article:

On the other side of the coin we have complexity. For all the ease that has come about in the past several years, no matter how simple it has become for Bob in Marketing to publish the company's public sales figures online, the fact remains that we're dealing with complex systems that have many, many points of potential failure. That knowledge scares the hell out of the people who live security, while Bob goes blithely on successfully publishing the company's public sales figures ... and accidentally publishing the spreadsheet containing the company's top customers, complete with contact info, sales figures, and notes about who the salespeople think are good for a few thousand more this year.

I would add some additional observations: Bob in Marketing cannot reasonably be expected to be an Internet publishing expert, much less a security expert. Vendors must address security issues without delay.
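One concrete thing a vendor or web team could do for Bob is run a pre-publication check over the directory about to go live, so the spreadsheet never reaches the crawler in the first place. The following is an added example, not code from Granneman's column or from any product: a small Python scanner over a constructed web root (the file names, customer names, addresses and phone numbers are invented) that flags raw data files, address lists, phone numbers and "internal only" markers before anything is published. The file types, patterns and the address threshold are assumptions and would be tuned to the organization.

```python
import re
import shutil
import tempfile
from pathlib import Path

# File types that are almost never meant for a public web root (assumption).
RISKY_SUFFIXES = {".xls", ".xlsx", ".csv", ".mdb", ".bak", ".sql", ".pst"}

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
MARKERS = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)
MIN_ADDRESSES = 3   # assumption: one address is a contact line, several is a list


def scan_file(path: Path) -> list:
    """Reasons this file should not go to the public web root (empty = nothing found)."""
    reasons = []
    if path.suffix.lower() in RISKY_SUFFIXES:
        reasons.append(f"data-file type {path.suffix.lower()}")
    text = path.read_text(errors="ignore")   # binaries decode to noise that matches nothing
    addresses = len(EMAIL.findall(text))
    if addresses >= MIN_ADDRESSES:
        reasons.append(f"{addresses} e-mail addresses")
    if PHONE.search(text):
        reasons.append("phone numbers")
    marker = MARKERS.search(text)
    if marker:
        reasons.append(f"marker '{marker.group(0)}'")
    return reasons


def find_sensitive(root) -> list:
    """(relative path, reasons) for every file under root that trips a check, by path."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = scan_file(path)
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_site() -> Path:
    """Constructed web root: one harmless page plus the files Bob uploads by accident."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "sales").mkdir()
    (root / "sales" / "q4-summary.html").write_text(
        "<h1>Q4 2003 results</h1><p>Revenue up 12%. Contact press@example.com.</p>\n")
    (root / "sales" / "top-customers.csv").write_text(
        "name,email,phone,note\n"
        "Acme Corp,buyer@acme.example,555-010-0101,good for 5k more this year\n"
        "Globex,cfo@globex.example,555-010-0202,renews in June\n"
        "Initech,it@initech.example,555-010-0303,price sensitive\n")
    (root / "sales" / "forecast-notes.txt").write_text(
        "INTERNAL ONLY: pipeline review notes for the sales team.\n")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel, reasons in find_sensitive(site):
            print(f"{rel}: {', '.join(reasons)}")
    finally:
        shutil.rmtree(site)
```

On the sample root the public results page passes, while the customer spreadsheet is caught three ways (file type, address list, phone numbers) and the notes file is caught by its marker. A check like this belongs in the publishing step itself, where Bob cannot skip it, rather than in a security review he has to remember to ask for.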

Monday, March 08, 2004

Last Wednesday Steve Janiszewski of PS&J Software Six Sigma spoke to DC Spin on how to use the Six Sigma model to improve the process of software development.

Six Sigma quality level means that products have fewer than 3.4 defects per million opportunities, i.e. the product is 99.9997% error-free. It came out of the manufacturing sector. In 1995 Janiszewski was at Allied Signal when the CEO decided that Allied Signal would become a Six Sigma organization. It soon became apparent that software development is different from manufacturing and the Six Sigma model had to be adjusted accordingly.

Unlike manufacturing, software developers do not build the exact same product over and over again. Process variation can never be reduced below a moderate level and specifications are not based around tolerances.

Janiszewski said that to a software developer, Six Sigma can look like a freight train. But it can be complementary to the Capability Maturity Model (CMM) process. CMM is susceptible to inertia and organizations can take years to move from one level to another and many organizations drop back a level within months of an assessment. Moreover, Janiszewski suggested that most of the benefits of CMM come at levels 4 and 5. (I have to say that at earlier meetings I have heard exactly the reverse, that most of the gains come at the beginning, when an organization moves from a chaotic environment to one where there is a process. TechnoFlak is happy to run guest posts by anyone wishing to weigh in on this question.) It is possible to be technically compliant with CMM and have no productivity gains.

Six Sigma starts with business results. Janiszewski laid great stress on the importance of defining specific business goals. Data analysis is used to identify which processes have the greatest impact on those goals and what are the critical inputs for those processes.

Throughout his presentation Janiszewski emphasized the need for inspection, measurement, data analysis and feedback. The inspection process must not be rushed; inspectors who are given too many lines of code to review will miss errors. Managing integration & test means managing defects. 70% of the defects are likely to occur in 20% of the modules. The Six Sigma process will help developers identify those modules which should be scrapped and reworked.
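To make the numbers in the talk concrete, here is an added Python example (mine, not Janiszewski's material) that computes defects per million opportunities and the corresponding sigma level, and applies the 70/20 Pareto rule to a constructed table of defect counts per module to pick the rework candidates. It assumes the conventional 1.5 sigma shift that Six Sigma tables use to get from 3.4 DPMO to "six sigma"; the talk as reported did not state that convention, and the defect counts are invented.

```python
from statistics import NormalDist

# Six Sigma tables quote a "short-term" sigma with a 1.5 sigma long-term shift
# added back; that convention is an assumption here, not something the talk stated.
SIGMA_SHIFT = 1.5


def dpmo(defects: int, units: int, opportunities_per_unit: int) -> float:
    """Defects per million opportunities."""
    return defects / (units * opportunities_per_unit) * 1_000_000


def sigma_level(dpmo_value: float) -> float:
    """Sigma level for a DPMO figure: the normal quantile of the yield, plus the shift.
    3.4 DPMO gives a yield of 0.9999966, whose quantile is about 4.5, hence 6.0."""
    yield_fraction = 1.0 - dpmo_value / 1_000_000
    return NormalDist().inv_cdf(yield_fraction) + SIGMA_SHIFT


def pareto_modules(defects_by_module: dict, share: float = 0.70):
    """Smallest set of modules, taken in descending defect order, that holds `share`
    of all defects. Returns (modules, fraction of defects they actually hold)."""
    total = sum(defects_by_module.values())
    if total == 0:
        return [], 0.0
    chosen, running = [], 0
    for module, count in sorted(defects_by_module.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(module)
        running += count
        if running >= share * total:
            break
    return chosen, running / total


# Constructed defect counts from integration and test, per module (not real project data).
SAMPLE_DEFECTS = {
    "auth": 52, "billing": 40, "parser": 9, "report": 7, "ui": 6,
    "export": 5, "search": 4, "config": 3, "logging": 3, "util": 2,
}

if __name__ == "__main__":
    print(f"3.4 DPMO -> {sigma_level(3.4):.2f} sigma")
    rate = dpmo(defects=7, units=1000, opportunities_per_unit=5)
    print(f"7 defects in 1000 units x 5 opportunities -> {rate:.0f} DPMO, "
          f"{sigma_level(rate):.2f} sigma")
    modules, fraction = pareto_modules(SAMPLE_DEFECTS)
    print(f"{len(modules)} of {len(SAMPLE_DEFECTS)} modules hold "
          f"{fraction:.0%} of defects: {modules}")
```

On the constructed table two of the ten modules hold just over 70% of the defects, which is the talk's 70/20 pattern; those are the modules whose scrap-and-rework decision the data supports, and the ones where a rushed inspection is most expensive.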

Computerworld weighs in on the search for quality. This article is an excellent overview on the different models, who uses them and their strengths and weaknesses:

Today, IT managers have a bewildering array of quality disciplines to choose from. Some, such as Six Sigma, ISO 9000 and the Malcolm Baldrige program, may be dictated to you by your CEO. Others, such as Control Objectives for Information and Related Technology (CobiT), may be imposed by your auditors. And IT-focused disciplines may originate in your own shop, such as CMM for software development and the Information Technology Infrastructure Library (ITIL) for IT operations and services.

While there is some overlap among these quality frameworks, in most cases, they don't conflict. Indeed, most large companies use two or three of them. For example, IBM uses ISO 9000, CMM, ITIL, Six Sigma and several homegrown quality programs.

Actually, it is not difficult to come up with a scenario for a truly hilarious series of Dilbert cartoons, based on the simultaneous adoption of different quality models.

Maryfran Johnson of Computerworld has written a biting editorial about our Department of Homeland Security:

Given that the private sector owns and operates 85% of the critical infrastructure that keeps our lights on and water flowing, this may seem like the natural course of events. But at least part of the fantasy behind spending billions of our tax dollars on the DHS was to create an agency that could orchestrate a public/private collaboration on security matters. "I think largely we've dropped the ball," says Richard Clarke, former chairman of the President's Critical Infrastructure Protection Board.

CIOs and senior IT executives would no doubt agree. They've all noticed that there are no incentives in the 1-year-old "National Strategy to Secure Cyber Space" plan for private industry. No tax credits. No cost sharing. No real reason to care.

The companies that do care, however, are computer industry vendors and service providers. They influence DHS strategy and direction through a handful of powerful lobbying groups, the most prominent being the Information Technology Association of America. Their agendas boil down to this: Prevent any new government regulations or reporting requirements that would mandate changes in IT products. So far, mission accomplished.

Just once I would like to see a trade association recognize that being the public's advocate to the industry is at least as important as being the industry's advocate to the public.

Saturday, March 06, 2004

Robert Cringely has a great column on venture capitalists and what went wrong:

Last week's column, if you missed it, was about how you really can't emigrate to India even if you wanted to, and about how our current economic malaise can be traced back to irresponsible venture capitalists who are refusing to dump money into new ventures because they are afraid. They could change things in a heartbeat, but they don't. Well, Mac had a corollary story that looks at the same effect from a different angle.

"In times of uncertainty," wrote Mac, "don't be Mark Twain ("Put all your eggs in one basket, and watch that basket!" -- it didn't work for him anyway). Instead, bet on serendipity -- don't invest in ONE big idea -- invest in 10 ideas that are your best guesses as to the widest range of possibly big ideas. You don't know but what the heck, NOBODY knows."

"This gives you ten chances to win, instead of one."

"This is in fact where the awful statistics that traditionally are quoted for VCs originate: They invest in many possible companies too early to tell if they are brilliant or dumb. Six fail, some spectacularly. Two limp along. One does pretty well. And one is a huge hit -- and not the one you would have bet on had you been forced to bet on just one."...

There was a time when American industry believed in Mac's field of flowers. New business units were started to prove or disprove product and service ideas. Most of these ideas didn't work out, but most of them didn't cost very much money, either, so big companies like GE and 3M had no trouble carrying the bad ones for just long enough to see if they'd work. But then came the 1980s with its spreadsheet jockeys, and the game changed to letting little companies come up with the new ideas, then simply buying-up those little companies as they started to succeed.

This new system required capital to start and build the little companies and the VC community was able to provide that. The goals were modest -- a 20 percent compounded annual rate of return to venture fund investors. And it generally worked. But then came the Internet fever of the late-1990s when the goal changed from that 20 percent return to what the VCs liked to call the "hundred bagger." A hundred bagger is a startup that returns 100 times the original investment. There have been very few hundred baggers, but the fact that for awhile there were some has had a horrible effect on the venture capital business, because now any investment that doesn't have hundred bagger potential is viewed as not worth making at all.

That's just plain stupid, of course.

The goal is no longer to make a certain return, but to find a hundred bagger -- something that is just about impossible to do. You can stumble on a hundred bagger, you can luck into it, but actually setting out to invest only in businesses you feel are likely to return 100X, well that pretty much means you'll never invest again, which is the way the VC business feels right now.

Techdirt has an interesting post on the continuing battle between ad blockers and advertisers:

Most people know that lazy (bad) marketers are never going to realize that forcing annoying ads on people is not the proper way to build a sustainable business, but is it too much to hope that some will realize there's a better way? These days they just seem to move from one bad idea to another. As more and more people have started using pop-up blockers, advertisers are increasingly switching to "rich media" ads, usually using Flash technology, that takes over the browser to display some ad, rather than what the surfer is looking for. That is, instead of realizing that people don't want to see their ads, and maybe such intrusive and annoying solutions are a bad idea - they just find new intrusive and annoying methods that get around the blockers. As we were just discussing, this pisses people off, because it screws up the reason they're online. Pissing off your potential customers doesn't seem like a good long term strategy. Already, the various ad blockers are working to block out these rich media ads as well, and we can be pretty sure that these same lazy marketers will put what little effort they have into coming up with another annoying and intrusive ad campaign - rather than figuring out how to deliver something people want.

No business ever won a war with its customers. Ad blockers exist not simply because readers don't like looking at advertising, but because online advertising sucks up so much bandwidth that it interferes with the reader's experience. Readers don't want to wait for the ads to download so they can look at their favorite web site. There must be ways of creating inviting banner ads that download easily and generate enough interest to drive traffic to the advertiser's web site.

Friday, March 05, 2004

I asked Shawn Presson, of ITS Services, what he thought of Koch's article in CIO and he kindly sent me this response:

Mr. Koch’s article quotes Jay Douglass as saying "You can be a Level 5 organization that produces…garbage." My first response is to question how an organization that produces garbage can sustain true Level 5 operations, or even attain them in the first place. It’s expensive, it is hard, and I marvel at organizations that don’t eventually want to know if the effort is supporting the bottom line, not just the top line. But then, we’ve all heard, "garbage in, garbage out." A flat requirement to report a Maturity Level without understanding is a garbage requirement that has resulted in garbage results. Unfortunately, the credibility of a very useful model is being compromised as a result.

There are many war stories that highlight this state of affairs. One of my colleagues was tasked to perform an appraisal on a company for Maturity Level 4. As part of the normal upfront work, he asked what indicators made this company feel ready for a Level 4 appraisal. The response: "Because we’re profitable!" Further conversation made it clear that the company representative did not even understand Maturity Level 2 principles. In reality, there are many Level 1 shops that are obscenely profitable. The problem is that the capability of these shops can come crashing down as soon as a few key people take another job or fall ill. Mere profitability is not an indicator of maturity.

Another story: at a process improvement conference, I met a man who worked in an offshore shop that had been appraised at Maturity Level 4. This organization had well over 300 projects, and each project had something called "tailoring guidelines." When I asked how thick these guidelines were, this man indicated a size reminiscent of the Manhattan White Pages. I asked if those "guidelines" were the result of adapting the organization’s process definitions to the project. He replied that no, those adopted process descriptions were yet another set of documents. I then asked whether the guidelines were copied from the organization’s set of rules for adapting the standard processes. He said no, they were written uniquely for each project. I then asked how much variability this introduced from one project to the next, and how could processes be quantifiably managed across the organization. I saw the realization flicker in his eyes: they couldn’t be, and the organization was not truly operating at Level 4. I didn’t have the heart to tell him that the organization probably was not Level 3, nor did I ask who the lead appraiser was. Understand that his managers weren’t necessarily "bad" people, they simply were being forced to do something they didn’t understand, and someone subsequently had told them they had succeeded.

So what is a CIO to do? Aside from Mr. Koch’s due-diligence questions (more on those later), first quit paying so much attention to organizations touting their maturity level. Invoke Presson’s (immodestly named) Inverse Font Size Law, which states that the probability of an organization having a certain maturity level is inversely proportional to the size of the banner hung on the building. Realize that "the level number and a dime will get you a cup of coffee."

Secondly, demand to see performance indicators. I enjoy working with organizations that say things like, "Here are our performance metrics. What? Our CMM maturity? Oh, yeah, we’re also Level x against the CMMI." A mature shop should be full of people bragging about their performance. They may get somewhat irritated when you keep harping on the number, because they know it is a single data point.

Thirdly, learn the model. Learn what it means. Learn to spot the ridiculous contradictions that companies try to get away with - and often do. For example, Mr. Koch’s article says, "If the company does not have an excellent training program for all its project managers and developers…the assessment means little." That is an understatement. A reasonable training program is a Maturity Level 3 requirement, and if this is not in place then Level 3 and any higher level is not possible. In other words, the assessment Mr. Koch refers to probably not only "means little," it probably is a deliberate sham. A sponsor should be able to spot that and many other indicators.

Fourthly, do ask questions, do perform the due diligence. Mr. Koch wrote, "Only if CIOs ask tough questions will they be able to distinguish between the companies that are exaggerating their CMM claims and those that are focused on real improvement." I’d like to expand on that statement. Only when CIOs use the CMMs to suggest acquisition risk, and sponsor risk-focused appraisals, will they determine real improvement within their suppliers. Only when CIOs learn the tradeoffs and benefits of the maturity levels, and demand maturity only within the context of the need will they promote real performance among their suppliers. In short, until CIOs mature their acquisition behavior, the models will fail to deliver their potential benefits.

Question #3 on Mr. Koch’s list was, "How long ago was this done?" Ask not only how long ago the appraisal was done, but also find out the rate of growth and turnover in that company. Organizational maturity can be a fragile thing due to growth, mergers, reorganizations, and other upheavals. An appraisal performed six weeks ago could have weakened value under certain circumstances, much less one two years ago.

Question #9 gives the example of a financial services organization wanting to see that at least one of the appraised projects dealt with financial processes. If CIOs take control of this appraisal, they could demand that the scope of an appraisal only include projects involved in financial processes. The scope is a negotiable thing, and acquirers should understand how defining the "organization" impacts the appraisal outcomes.

Question #7 asks, "Was the appraiser from inside or outside the organization?" This is a critical question. Some corollaries would be, "Who paid the appraiser? Were the other team members also from outside the organization?" Enough said.

#11 on Mr. Koch’s list is, "How many project managers who were assessed at CMMI Level 5 will be on your project team?" Theoretically, anyone working within the organizational scope at Level 5 should be capable of leading a project about as well as anyone else. Tom DeMarco and Timothy Lister’s Code War research showed that various aspects of the organization were critical enablers or hindrances to developer performance, and that ranges of capability between top and bottom performers in companies were not that variable. Mean performance would vary dramatically from one company to the next, however, due to the organizational characteristics. This doesn't mean that people don't make a difference. If a company runs a Level 5 organization as a subset of an enterprise, then moving people into that organization can represent critical risk if this is not carefully managed (see the next question).

Question #12 asks "How does the company train new people to be CMM Level 5?" This question touches on orientation, training, mentoring, and other methods used to ensure personnel know how to do their job. As mentioned before, there is an entire process area at Maturity Level 3 focused on this, and all the process areas from Level 2 through Level 5 share a requirement that personnel be trained in performing the functions described within each respective process area. This question alone could merit a focused assessment.

The bottom line is that CIOs and other acquisition entities suffer from a situation of their own collective creation. At risk are the credibility of CIOs basing acquisitions upon CMM ratings, and the credibility of the CMM models themselves. As Mr. Koch writes, there is indeed no substitute for due diligence. CIOs must understand what the CMMs are for, know their contents and understand the history of the legacy appraisal methods. They should use current models and appraisal methods to mitigate risks, not to generate a falsely comforting, single-number indicator.

Wednesday, March 03, 2004

Another great article on the recent worm attacks and their possible relationship to unsolicited commercial email from SecurityPipeline:

Less ambiguous is this year's sheer number of attacks, with anti-virus vendors noting that more emergency alerts have been released in the first two months of 2004 than in all of 2003, more than fulfilling prognostications that this is going to be a very bad year for worms and viruses.

That will, of course, make it a good year for security and anti-virus vendors, as well as for hardware vendors responding to the rising number of security threats.

But even as vendors see their market grow, this sort of multiple attack--and the increasingly complex relationship between hackers and spammers--might be too much of a bad thing.

SecurityTracker is the best resource I know of for tracking security vulnerabilities.

Monday, March 01, 2004

CIO has a fascinating story about Capability Maturity Model (CMM) appraisals with allegations of bribery and fraud. From the article:

As American and European companies stampede offshore to find companies to do their development work, they first need to understand what CMM ratings really mean. Yet few CIOs bother to ask crucial questions, say IT industry analysts and the service providers themselves. "Not even 10 percent of customers ask for the proof of our CMM," says V. Srinivasan, managing director and CEO of ICICI Infotech, an Indian software services provider that claims a Level 5 certification. "They inevitably take it for granted, and they don't ask for the details." ...

If this is true, why are American firms failing to press for verification of claims of CMM appraisals? Because they are naive about false claims? Or because they are interested in cheap labor and do not want to hear anything that would complicate their plans to shift work overseas?

Where CMM Comes From
The CMM was a direct response to the Air Force's frustration with its software buying process in the 1980s. The Air Force and other DoD divisions had begun farming out increasing amounts of development work and had trouble figuring out which companies to pick. Carnegie Mellon University in Pittsburgh won a bid to create an organization, the SEI, to improve the vendor vetting process. It hired Humphrey, IBM's former software development chief, to participate in this effort in 1986.

Humphrey decided immediately that the Air Force was chasing the wrong problem. "We were focused on identifying competent people, but we saw that all the projects [the Air Force] had were in trouble—it didn't matter who they had doing the work," he recalls. "So we said let's focus on improving the work rather than just the proposals." ....

This is a little off-topic from the article’s subject, but few Americans appreciate how much our government does to ensure quality. In private industry, if a project is over budget and behind schedule, it is all just swept under the rug, unless the failure is spectacular, like the failed enterprise resource planning system that prevented Hershey’s from getting candy to market in time for Halloween.

The depth and wisdom of the CMM itself is unquestioned by experts on software development. If companies truly adopt it and move up the ladder of levels, they will get better at serving their customers over time, according to anecdotal evidence. But a high CMM level is not a guarantee of quality or performance—only process. It means that the company has created processes for monitoring and managing software development that companies lower on the CMM scale do not have. But it does not necessarily mean those companies are using the processes well. ...

Truth in Advertising
Stories about false claims abound. Ron Radice, a longtime lead appraiser and former official with the SEI, worked with a Chicago company that was duped in 2003 by an offshore service provider that falsely claimed to have a CMM rating. "They said they were Level 4, but in fact they had never been assessed," says Radice, who declined to name the guilty provider. ....

Now that CMM has become table stakes for billions worth of business, some believe that providers should bite the bullet and get all their projects assessed if they are going to claim "enterprise Level 5 CMM."

"If I were a CIO and a company was telling me their entire company was CMM 5, I'd want all the people on my project to have gone through the assessment," says Margo Visitacion, a Forrester Research analyst and former quality assurance manager at a software development company. "[The service providers] are getting millions in business from their CMM levels. Why shouldn't they have all of their developers go through an assessment?"....

In all the meetings I have attended discussing CMM it is generally agreed that it is preferable to have one group go through the process and then show its gains to the rest of the company. It is easier to get the rest of the company on board if you can show results, so a pilot group makes sense. And I would think you would want to give them some sort of recognition, at least in the form of a successful appraisal they can show off. Perhaps on corporate web sites companies should be more specific on which part of their company has completed appraisal. There are plenty of ways to do that with maximum positive spin that are not misleading.

How Much for That Certification?
Appraisers continue to cheat too, according to their colleagues. The pressure on appraisers, in fact, is higher than ever today, especially with offshore providers competing in the outsourcing market. Frank Koch, a lead appraiser with Process Strategies Inc., another software services consultancy, says some Chinese consulting companies he dealt with promised a certain CMM level to clients and then expected him to give it to them. "We don't do work for certain [consultancies in China] because their motives are a whole lot less than wholesome," he says. "They'd say we're sure [certain clients] are a Level 2 or 3 and that's unreasonable, to say nothing of unethical. The term is called selling a rating." ...

Well, what do you expect of a society that is content to roll tanks over peaceful demonstrators? I simply cannot believe the naiveté about China. Why does anyone suppose that those who run sweatshops and dump toxic waste into local rivers are going to live up to promises of quality or respect business contracts?

More recently, the SEI toughened up the CMM itself and plans to completely replace it (as of December 2005) with a broader, more in-depth model called CMMI. In the process, it has increased the training requirements and controls on appraisers. According to Hayes, under CMMI, the SEI reviews each appraisal that comes in for irregularities. And under CMMI, appraisers have to file a report called an Appraisal Disclosure Statement that clearly states which parts of the organization and projects were assessed, as well as all the people who took part in the assessment (though assessed companies are not required to reveal that report publicly, either). The SEI, along with the lead appraiser community, is also developing a "code of ethics" for appraisers.

Sounds like a good beginning. SEI needs to respond to the issues raised by this article and I look forward to hearing their response.

Christopher Koch has a terrific article on the Capability Maturity Model (CMM) appraisal process in CIO. I will be posting more about it later today, but for now I want to talk about anonymous sources. His article begins with serious allegations of bribery and fraud, but there are no named sources. This is very troubling in an otherwise excellent article.

To any newsmaker, or aspiring newsmaker, who chances upon this post, never be an anonymous source. Just because you see it every day in your hometown newspaper doesn’t make it right.

To my fellow flaks, whatever advantages we gain for our clients by pressuring reporters to keep names off the record, we lose far more by contributing to a media climate where anonymous accusations can thrive. Let us use our collective power to put an end to this pernicious practice.

If we are to have any sort of honest dialog in this country we need to learn to speak openly. From my article on Do-It-Yourself PR for Technology Companies in The Capitol Image:

Do not speak off the record. Reporters hate that. Reporters are right. If you cannot go on the record with a comment, that is a clue that it should remain unsaid. Anonymous sources have done our country incalculable damage. Do not be part of it.